Metropolitan Police IT breach could do ‘incalculable damage’ in the wrong hands
Written by Stuart Crowley Tue 29 Aug 2023
A Metropolitan Police IT system breach could do ‘incalculable damage’ in the wrong hands, the Metropolitan Police Federation has said.
Scotland Yard said it had been made aware of ‘unauthorised access to the IT system of one of its suppliers’, but it is unclear when the breach occurred or how many personnel might be affected.
The supplier in question had access to names, ranks, photos, vetting levels and pay numbers for officers and staff, but did not hold personal information such as addresses, phone numbers, or financial details.
“Metropolitan Police officers are out on the streets of London undertaking some of the most difficult and dangerous roles imaginable to catch criminals and keep the public safe. To have their personal details potentially leaked out into the public domain in this manner – for all to possibly see – will cause colleagues incredible concern and anger.
“We share that sense of fury… this is a staggering security breach that should never have happened. Our brave Police Officers – who give up so much to do this job – deserve so much better,” said Rick Prior, Vice Chair of the Metropolitan Police Federation.
The Metropolitan Police is now working with the company to understand if there has been any security breach relating to its data.
“The men and women I represent are justifiably disgusted by this breach. We will be working with the force to mitigate the dangers and risks that this disclosure could have on our colleagues. And will be holding the Metropolitan Police to account for what has happened,” added Prior.
The police force serving Greater London has taken ‘security measures’ as a result of the IT breach. The matter has been reported to the National Crime Agency, and the Information Commissioner’s Office (ICO) is also aware.
“Given the roles we ask our colleagues to undertake, significant safeguards and checks and balances should have been in place to protect this valuable personal information which, if in the wrong hands, could do incalculable damage,” said Prior.
A spokesperson for the Metropolitan Police Federation said any potential leak ‘will cause colleagues incredible concern and anger’.
Investigate cybersecurity practices, say experts
Metropolitan Police chiefs should carry out a thorough investigation of the force’s cybersecurity practices following an IT breach, industry experts have said.
Experts said the possible data breach is ‘extremely worrying’, but unsurprising as cyberattackers frequently target third-party companies.
Jake Moore, Global Cybersecurity Advisor for software firm ESET, told the Press Association: “This is another extremely worrying episode of what we seem to be seeing quite a lot of this year. It is just worrying to think these police forces are coming under attack in what I would suggest are relatively simple ways.”
The breach affecting the Metropolitan Police appears to have been ‘a targeted attack to test the security within the supply chain’ where criminals were ‘looking for the weakest link’, according to Moore.
“The Met Police are extremely good at keeping their own data secure, but they do use third parties. As they have to use these parties, if they aren’t up to date with their own security then that becomes a weakness that could be targeted,” added Moore.
Moore suggested that current cybersecurity systems used by police forces, coupled with a lack of resources, may have led to flaws opening up.
“It is not impossible to stop this. It is to do with understanding where all your data is. When you amalgamate systems, particularly when police forces join together, they tend not to understand completely where all their data is or who has access to it, and that can cause problems down the line,” said Moore.
A complete analysis of who has access to their data, and why they have that access, was recommended to reduce weak points.
“It will take time – not necessarily too much money – but it will take resources and people power to mitigate this in the future, and hopefully something like this will shake the boots of all the chiefs around the country to wake up and act faster,” said Moore.
Kevin Curran, Professor of Cybersecurity at Ulster University, agreed that the breach is likely to be down to ‘a third-party supplier issue’.
“I am not surprised. Data breaches are such a common occurrence and police are no exception. They have the same resources as a lot of other companies, where any data systems which have external access to the internet are a risk,” said Curran.
The Met should ask why third parties have access to such information and whether the Met has the right data classification methods in place, advised Curran.
“It boils down to resources. Every organisation has to allocate a percentage of their IT budget to cyber security.
“It is a publicly-funded organisation, so there is only a finite amount of resources you have, but we do have best practices and guidelines in the industry on how to protect the systems, so maybe it comes down to someone conducting an external audit in the aftermath to see whether or not they are following these practices,” added Curran.
Data breaches and leaks plague UK police
The Met’s data breach follows an admission by the Police Service of Northern Ireland (PSNI) that personal data on all its serving members was mistakenly published in response to a Freedom of Information (FOI) request.
Details of more than 10,000 PSNI officers and staff included the surname and first initial of every employee, their rank or grade, where they are based and the unit they work in.
After the PSNI breach was revealed, Norfolk and Suffolk Police announced the personal data of more than 1,000 people – including crime victims – was included in another FOI response.
South Yorkshire Police has also referred itself to the ICO after noticing ‘a significant and unexplained reduction in data stored on its systems’.
The force said it is now urgently working with experts to recover footage filmed by officers as they attended incidents or engaged with the public and which, in some cases, could be used as evidence in court.
A spokesperson for the National Crime Agency said: “We are aware of the cyber incident and we are working with law enforcement partners to understand the impact.”